Using Code Pathfinder's variant analysis to uncover an unpatched path traversal in Langflow's Knowledge Bases API — a variant of CVE-2026-33497 enabling arbitrary directory deletion, JWT secret deletion, and cross-user KB deletion. Fixed in v1.9.0.